The Article 29 Data Protection Working Party (Working Party) released Opinion 9/2014 on ePrivacy Directive 2002/58/EC (amended in 2009), stating that the consent and transparency mechanisms apply to digital fingerprinting of devices (Opinion).
The Working Party issued the opinion to clarify that consent was required and to end “surreptitious tracking” of users in light of the increasing use of profiling technologies in an attempt to avoid reliance on cookies.
The Opinion defines ‘fingerprint’ as including “a set of information that can be used to single out, link or infer a user, user agent or device over time”, and that the consent requirement applies to website publishers, third parties and the use of Application Programming Interfaces.
The Opinion sets out practical guidance providing six scenarios and requires prior consent for:
- First-party website analytics – there is no exemption to obtaining consent for cookies that are strictly limited to first-party anonymised and aggregated statistical purposes
- Tracking for online behavioural advertising
- User access and control – where fingerprinting comprises information elements which store or gain access to information of the user’s device because such purposes are not considered “strictly necessary” to provide functionality explicitly requested by a user
As with cookies, consent is not required if fingerprinting is used for adapting the user interface to the device solely for network management, or as a security tool to prevent unauthorised access to services those users have accessed in the past.
Companies will now have to make clear in cookie policies, uses of alternative technological processes that can enable them to create a profile of users. The UK Information Commissioner’s Office welcomed the Opinion.